Hi Ken,

There are two usually stated reasons for switching on HTTPS.

1. Better SEO (not sure whether that's a thing that HPR will care *that*
much about?)
2. Reducing the risk of your ISP/Law Enforcement Community/Malicious
ne'er-do-well being able to man-in-the-middle a connection between you (the
browser/listener) and the web server, and inject content without there
being some sort of obvious injection.

The second item is usually the reason that people turn it on by default.

For example, if you've gone to a coffee shop, and you join the free WiFi
there ("Bob's Coffee Shop WiFi") but it's actually the shady-looking dude
in the corner's girlfriend with the MITM box in her handbag, and you browse
to an HTTP-based site, then they *could* replace elements of the content
with content they wanted.

For an actual, real-world example: in 2014, Comcast were still injecting
JavaScript-based adverts into HTTP websites you browsed to:
https://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/

Honestly, most web servers now have the CPU features enabled that don't
make stuff like HTTPS encryption-by-default a resource hog, so I'd be
happier knowing that HPR had it switched on... Otherwise "THE MAN" might be
able to add some JavaScript to your website to make me DDoS ubuntu.com (*)
;)

(*) Context: the "Great Firewall of China" added JavaScript to pages served
by Baidu to make repeated requests to GitHub's hosting of GFOC bypass
technologies in 2015 in an attempt to DDoS the site.
--
Jon "The Nice Guy" Spriggs
@jontheniceguy everywhere...
https://jon.sprig.gs


On Wed, 15 Dec 2021 at 09:24, <[email protected]> wrote:

> > Admins,
> >
> > Ever considered using an LE cert for https for the website and putting a
> > redirect in place
> > to avoid browser security warnings?
> >
> >      Cheers, Chris
> > --
> > This email account is monitored seven days a week.
> >
> > _______________________________________________
> > Hpr mailing list
> > [email protected]
> > http://hackerpublicradio.org/mailman/listinfo/hpr_hackerpublicradio.org
> >
>
> We already have a https version of the site https://hackerpublicradio.org
>
> Issued For      hackerpublicradio.org
> Issued By       cPanel, Inc., US ( cPanel, Inc. Certification Authority )
> Signature Algorithm     RSA-SHA256
>
> If there is anyone browsing the https site and is getting unencrypted
> content back that should be fixed. Please ping me and I'll look into it.
>
> As far as discussing an automatic redirect from http to https, I would
> like to be convinced of the need to do this. Everything on HPR is public
> and open, so why should it be redirected to the encrypted version?
>
> My personal (hpr host - not admin/janitor) mood on the topic is swaying
> between it allows people to be browsing the site more privately, to
> getting annoyed that this is being forced on everyone. So I for one would
> not be in favour of forcing people from http to https automatically. We
> already have a https site. If people want to use it then they may. If they
> don't then they don't have to.
>
> What am I missing in the discussions?
>
> --
> Regards,
>
> Ken Fallon (PA7KEN,G5KEN)
> https://kenfallon.com
> https://hackerpublicradio.org/hosts/ken_fallon
>